Email Service Supports Unencrypted Authentication #3190
jshapiro2 started this conversation in Development discussions
Replies: 1 comment
-
jshapiro2 (original post):

I have now run security scans on multiple versions of POSTAL including version 3.3.4. I have done all changes to Caddyfile and postal.yml to enforce this. Need postal to stop passing back "PLAIN".

Here is the issue:

SMTP Unencrypted Cleartext Login
CVSS Rating 4.8 (v2)
The remote SMTP server accepts logins via the following cleartext authentication mechanisms over unencrypted connections:
- PLAIN
- LOGIN
The remote SMTP server supports the 'STARTTLS' command but isn't enforcing the use of it for the cleartext authentication mechanisms.
-
Reply:

Unfortunately I don't believe you can turn that off currently, but there is nothing stopping you from changing your own version of Postal. You could remove this line (postal/app/lib/smtp_server/client.rb, line 98 in da90e75) and edit this line (postal/app/lib/smtp_server/client.rb, line 159 in da90e75).
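The scanner finding above boils down to two server behaviours: AUTH PLAIN/LOGIN is advertised in the EHLO response of a plaintext session, and an AUTH command is accepted before STARTTLS. The following Ruby is an added example written for this discussion, not Postal's code and not the patch the reply describes; the class `SmtpAuthGate`, the helper `cleartext_auth_exposed` and the sample EHLO lines are all constructed here. It shows the hardened behaviour (AUTH only after STARTTLS, with the RFC 3207 `530 5.7.0` rejection otherwise) alongside a small audit helper that reproduces the scanner's check against a captured EHLO response.

```ruby
# Added example, not Postal's code: a minimal SMTP session model that only
# advertises and accepts AUTH once STARTTLS has completed, plus an audit
# helper that inspects a captured EHLO response the way the scanner does.

class SmtpAuthGate
  # Mechanisms that carry credentials in clear text (the scanner's finding).
  CLEARTEXT_MECHANISMS = %w[PLAIN LOGIN].freeze

  attr_reader :tls_active

  def initialize(tls_available: true)
    @tls_available = tls_available
    @tls_active = false
  end

  # EHLO capability lines. AUTH is listed only after STARTTLS has completed,
  # so a client connecting in plain text never sees cleartext mechanisms.
  def ehlo_capabilities
    caps = ['250-PIPELINING', '250-8BITMIME']
    caps << '250-STARTTLS' if @tls_available && !@tls_active
    caps << "250-AUTH #{CLEARTEXT_MECHANISMS.join(' ')}" if @tls_active
    caps << '250 HELP'
    caps
  end

  def starttls
    return '454 4.7.0 TLS not available' unless @tls_available
    @tls_active = true # a real server would negotiate TLS on the socket here
    '220 2.0.0 Ready to start TLS'
  end

  # AUTH handling: reject any cleartext mechanism on an unencrypted session
  # with the RFC 3207 response, otherwise proceed with the SASL exchange.
  def auth(mechanism)
    mech = mechanism.to_s.upcase
    return '504 5.5.4 Unrecognized authentication type' unless CLEARTEXT_MECHANISMS.include?(mech)
    return '530 5.7.0 Must issue a STARTTLS command first' unless @tls_active
    '334 '
  end
end

# Audit a captured EHLO response (array of lines) from a plaintext session.
# Returns the cleartext mechanisms offered before STARTTLS; an empty array
# means the server would pass the scanner's "cleartext login" check.
def cleartext_auth_exposed(ehlo_lines)
  auth_line = ehlo_lines.find { |l| l =~ /\A250[- ]AUTH[ =]/i }
  return [] unless auth_line
  mechs = auth_line.sub(/\A250[- ]AUTH[ =]/i, '').split
  mechs.map(&:upcase) & SmtpAuthGate::CLEARTEXT_MECHANISMS
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an EHLO response that offers AUTH before STARTTLS,
  # i.e. the behaviour the scanner reported.
  weak = ['250-mail.example.test', '250-STARTTLS', '250-AUTH PLAIN LOGIN', '250 HELP']
  puts "weak server exposes: #{cleartext_auth_exposed(weak).inspect}"

  gate = SmtpAuthGate.new
  puts "hardened EHLO exposes: #{cleartext_auth_exposed(gate.ehlo_capabilities).inspect}"
  puts gate.auth('PLAIN')  # rejected before STARTTLS
  gate.starttls
  puts gate.auth('PLAIN')  # accepted once the session is encrypted
end
```

Run the file directly to see both outcomes; `cleartext_auth_exposed` can also be fed the lines of a real EHLO response captured from a plaintext session to check whether a server still advertises PLAIN or LOGIN before STARTTLS.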